There appear to be a couple of things that I don't understand. It
appears that while you have written your VL policy, you haven't written a
Launch Control Policy (which goes in the owner NV index). What your LCP
will be depends on the processor, which you didn't mention in your post.
That is the place where tboot is validated by the SINIT module, and then
when it returns, tboot validates the remainder of the modules in grub.

 

It may be possible to do what you tried, but I have always had to have an
LCP, which is where tboot and its command line are validated, so the
first tb_polgen line is the one for vmlinuz-2.6.32-279...

 

Charles

 

From: Charles Bushong [mailto:busho...@gmail.com] 
Sent: Monday, March 25, 2013 8:52 AM
To: tboot-devel@lists.sourceforge.net
Subject: [tboot-devel] verifying module against policy failed

 

Hi all,

I'm trying to get tboot up and running for my first time, and this list
has been a great help.  However it seems I'm running into some problems
when actually validating the modules.  I was hoping someone might have
some insight as to what I'm doing wrong.  I'm using tboot 1.7.3 and
legacy grub if it makes a difference.

I get ownership and define the nvram indices without much issue
(finally).  Then I create and write the v1 policy with this:

tb_polgen --create --type nonfatal vl_ver1.pol
tb_polgen --add --num 0 --pcr 18 --hash image --cmdline "logging=vga,serial,memory loglvl=all" --image /boot/tboot.gz vl_ver1.pol
tb_polgen --add --num 1 --pcr 19 --hash image --cmdline "$kernel_cmdline" --image /boot/vmlinuz-2.6.32-279.5.1.el6.x86_64 vl_ver1.pol
tb_polgen --add --num 2 --pcr 19 --hash image --cmdline "" --image /boot/initramfs-2.6.32-279.5.1.el6.x86_64.img vl_ver1.pol
lcp_writepol -i 0x20000001 -f vl_ver1.pol -p $TPM_PASS

There are a few red flags that are sticking out to me.

1) Does this post-GETSEC[SENTER] error code mean anything?

TBOOT: TXT.ERRORCODE: 0xc0000001
TBOOT: AC module error : acm_type=0x1, progress=0x00, error=0x0

 

2) Modules failing.
TBOOT: verifying module "
/vmlinuz-2.6.32-279.5.1.el6.x86_64 (kernel command line)"...
TBOOT:   verification failed
TBOOT: verifying module against policy failed.
TBOOT: verifying module "
/initramfs-2.6.32-279.5.1.el6.x86_64.img"...
TBOOT:   verification failed
TBOOT: verifying module against policy failed.
TBOOT: all modules are verified

I can't figure out why it's reading the policy without issue, getting
into GETSEC[SENTER], and then still failing the policy check.  Any help
or points in the right direction would be appreciated.  Thanks!




-Charles
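
The log quoted in this thread reports two failed modules and then "all modules are verified". The following triage script is an added example, not part of either message or of tboot: it pulls the error register, the AC module fields and the per-module results out of such a log and flags that contradiction. The `triage` function and report keys are hypothetical names, the sample log is constructed from the lines quoted above, and the meaning of bits 31 and 30 of TXT.ERRORCODE is taken from the Intel TXT register layout rather than from this thread.

```python
import re

# Constructed sample, assembled from the log lines quoted in the message above.
SAMPLE_LOG = '''\
TBOOT: TXT.ERRORCODE: 0xc0000001
TBOOT: AC module error : acm_type=0x1, progress=0x00, error=0x0
TBOOT: verifying module "
/vmlinuz-2.6.32-279.5.1.el6.x86_64 (kernel command line)"...
TBOOT:   verification failed
TBOOT: verifying module against policy failed.
TBOOT: verifying module "
/initramfs-2.6.32-279.5.1.el6.x86_64.img"...
TBOOT:   verification failed
TBOOT: verifying module against policy failed.
TBOOT: all modules are verified
'''

# The module name may wrap onto the line after the opening quote.
MODULE_RE = re.compile(r'verifying module "\s*([^"]*?)\s*"\.\.\.')

def triage(log):
    """Summarise a tboot log: error register, AC module fields, module results."""
    report = {"errorcode": None, "acm": {}, "failed": [],
              "no_failure_logged": [], "summary_contradicts": False}
    m = re.search(r"TXT\.ERRORCODE:\s*(0x[0-9a-fA-F]+)", log)
    if m:
        raw = int(m.group(1), 16)
        # Assumption: bit 31 = valid, bit 30 = raised by external software.
        # The lower bits are left to tboot's own "AC module error" decode line.
        report["errorcode"] = {"raw": raw, "valid": bool(raw >> 31 & 1),
                               "external": bool(raw >> 30 & 1)}
    m = re.search(r"AC module error\s*:\s*(.*)", log)
    if m:
        pairs = re.findall(r"(\w+)=(0x[0-9a-fA-F]+)", m.group(1))
        report["acm"] = {key: int(value, 16) for key, value in pairs}
    hits = list(MODULE_RE.finditer(log))
    for i, hit in enumerate(hits):
        # Everything up to the next "verifying module" line belongs to this module.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(log)
        name = hit.group(1).split()[0] if hit.group(1) else "(unnamed)"
        failed = "verification failed" in log[hit.end():end]
        report["failed" if failed else "no_failure_logged"].append(name)
    # A success summary printed after per-module failures deserves a second look.
    report["summary_contradicts"] = (bool(report["failed"])
                                     and "all modules are verified" in log)
    return report
```
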
